Silvio Micali is an MIT professor and Turing Award–winning cryptographer known for his work in technologies that form the bedrock of blockchains today: public-key cryptosystems, digital signatures, pseudorandomness and multiparty computations. He is also the co-inventor of the zero-knowledge proof.

In the ’90s, he worked on Byzantine agreement, a protocol for getting nodes in a distributed system to agree on a state change. And in 2012, he and long-time collaborator Shafi Goldwasser were co-recipients of the A.M. Turing Award, essentially, the “Nobel Prize in computing.”

Upon learning about Bitcoin three years ago, Micali turned his attention from mechanism design, which had consumed him for the previous seven years, and dove headlong into creating a proof-of-stake algorithm. His project is called Algorand.

Put simply, Algorand relies on a novel form of Byzantine agreement with only nine expected steps. In each step, committee members, chosen at random in a private lottery, are replaced. The result is a high-security system with a negligible risk of forks.

According to Micali, recent tests show Algorand can process 2 MB blocks in 17 seconds, compared to Bitcoin, which produces a 1 MB block every 10 minutes. (A paper on these results will be presented at SOSP, the biennial ACM Symposium on Operating Systems Principles, later this month.)

In an interview with Bitcoin Magazine, Micali explained why he thinks proof of stake is superior to proof of work, the consensus algorithm that underlies most cryptocurrencies today, including Bitcoin and Ethereum. Although Ethereum, more often viewed as a smart contract platform, aims to transition to proof of stake next year.

Unnecessary Evil

Micali thinks proof of work was a great idea when it first came out, but now that we have seen the consequences, he calls it an “unnecessary evil” for several reasons.

“The first time I heard about Bitcoin, I saw all the difficulties. To me, the main difficulty is the waste of computational resources. That is really appalling,” he said. “It drives up prices and depletes the planet of resources.”

Second, he sees miners as “a new center of power” and an orthogonal force to the real users of the system: the coin holders.

“If five mining pools can control what goes in or does not go in a block, in what sense is the ledger decentralized? You don’t want miners having control over the ledger, particularly when they have low margins, are far away and accountable to no one. I think it is a recipe for disaster,” he said.

Finally, transaction ambiguity does not sit well with him. In Bitcoin, occasionally two blocks are found at roughly the same time, creating a temporary fork in the chain. When that happens, the branch with the greater hash power is elongated, while the other and its blocks “disappear.” If your transactions happened to be in an orphaned block, it will eventually get picked up again in the main chain, but for Micali, the idea is unsettling.

“Every time I see my transaction is in a block, I worry the block may disappear. But never mind anxious people like me; banks may not be willing to take on the additional risk,” he said. “Can you imagine a financial world where wire transfers could be taken back?”

Natural Democracy

Micali thinks proof of stake is a better option. In proof of stake, there are no miners, just the coin holders. Further, a coin holder’s ability to create or validate a block is based on how many coins in the system he or she owns.

“This is a natural interpretation of democracy,” Micali said. “Your influence in maintaining the integrity of the system is based on how much you are really invested in the system.”

But there is a catch: creating a proof-of-stake algorithm is hard to do. While several projects claim to have come up with a secure protocol, Micali thinks some of those claims are questionable. “The fact is, people can claim anything they want,” he said.

One of the biggest challenges in proof of stake is the “nothing at stake” problem. If the chain forks, the optimal strategy for any coin holder is to extend both chains to earn additional block rewards or to double spend. That goes against the central design goal of all blockchains: getting users to converge on a single chain.

Some projects are looking at ways to sculpt their proof-of-stake protocols by adding perks or punishments to get coin holders to abide by the rules. As part of that, some proof-of-stake systems require users to put up a type of security deposit or bond.

Micali feels a well-designed proof-of-stake cryptocurrency should stand on its own, however, without extra measures. He thinks bonding opens doors to bad actors.

“Let me ask you, what fraction of your disposable income can you put on the table and not touch?” he said and suggested that honest people will put up only a small amount, ceding control to bad actors with big pockets.

“The danger is that only bad people will give up control over a large amount of money to manipulate the system. And if they earn much more money by misbehaving, they will be happy to lose what they put on the table,” he said.

He also disagrees with the idea of using punishment to get users to fall in line.

“A weak state rules through threats and fear,” he said, comparing the practice to barbaric punishments used by some nations to fight crime. Why do they do it? Because criminals are so rarely caught, he said. “So once they catch one, they disembowel the poor guy.”

He continued, “Do you want to oust somebody who misbehaves? Of course. But a well organized system is one in which you don’t need to punish people.”

Bitcoin and Ethereum

Most people view Bitcoin solely as a cryptocurrency, but Micali thinks the greatest value of Bitcoin and Ethereum are as enablers of smart contracts, in which users can stipulate if-then conditions around payments.

“At the end of the day, doing only payments is easy,” he said, adding that he did not want to trivialize the problem. “Of course, decentralized payments are better than centralized payments, but what really differentiates a cryptocurrency from any other form of money is that you can actually do a smart contract.”

Based on that, he thinks that both Bitcoin and Ethereum would benefit from implementing the best consensus algorithm available. Currently, both systems are “huffing and puffing,” he said. Bitcoin is constrained to 7 transactions per second, while Ethereum can process only 15 per second, compared to Visa’s 2,000 per second.

“If the blockchain scales, isn’t it better for Bitcoin and Ethereum? If the blockchain has a [mathematical] proof of security, isn’t it better for its users?” he said. “If the blockchain cannot be hijacked by miners who are accountable to nobody and live in some faraway jurisdiction, isn’t that a plus for all users?” Micali thinks so.